Chosen-Ciphertext secure PKE from Sender-Binding Encryption

252 / BBB

2026-06-16

Laurin Benz

15:45

IND-CCA2 security is the de facto standard for Public Key Encryption as it allows the scheme to be used in nearly all contexts, most importantly secure messaging. Unfortunately, most IND-CCA2 secure post-quantum PKEs are secure only in the ROM because they rely on the FO transformation, and their standard model counterparts are orders of magnitude less efficient. Identity based encryption (IBE) and tag-based encryption (TBE) are two variants of PKEs, and both feature transformations allowing the creation of IND-CCA2 secure PKE. As the original IBE and TBE schemes only need to satisfy selective identity and selective tag security respectively, and the transformations are in the standard model, this enables the creation of standard model post-quantum IND-CCA2 secure PKEs.
Beskorovajnov et al. showed that there exists an even weaker security notion called IND-SB-CPA which is enough to enable secure message transfer (SMT). Additionally, Schwerdt proved recently that IND-SB-CPA is actually a necessary condition for SMT.
In this paper, we give a blackbox transformation from IND-SB-CPA to IND-CCA2 secure PKEs using only weak forms of commitments, MACs and SKEs. From a theoretical point of view this shows that the weakest possible form of PKEs necessary for SMT actually imply IND-CCA2. From a practical point of view we show that combining our transformation with a recent result by Benz and Brede yields a post-quantum IND-CCA2 secure PKE in the standard model with combined key and ciphertext size of only 250KB, improving previous results by an order of magnitude